Re: Connection fail-over

[Dan Williams]

On Wed, 2017-04-12 at 10:44 -0500, Alex Ferm wrote:
> I don't think there is a built-in fail-over mechanism, but you should
> be 
> able to write a dispatcher script to handle it. 
> https://developer.gnome.org/NetworkManager/1.6/NetworkManager.html

Yeah, that was the general idea.  There are unfortunately a lot of ways
to say "this connection has failed" (IP packet loss? physical link
error rate? link speed degredation? latency spikes?) and encoding them
all into NetworkManager isn't a flexible solution.  So that gets punted
to dispatcher scripts if you need more detailed metrics to make the
decision of "this connection has failed".

Also important to distinguish between fail-over on the same device, or
fail-over between devices.  NM has some support for both, including
priorities for the default route across all devices, and for
connections for a given device.  I'd think many scenarios could be
handled through dispatcher scripts.

That all said, if there's something missing to help support dispatcher
script-based failover, or there is something that so many people use
that it might as well be included in NM, please let us know!

Dan
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list

Re: What NetworkManager does to VPN devices?

[Thomas Haller]

On Tue, 2017-04-11 at 09:17 +1000, Dan Fruehauf wrote:
> G'day,
> 
> I hope that post will not be long, but I've spent a few hours trying
> to narrow down the problem so I can provide as much information
> without wasting anyone's time.
> 
> I started to debug why NetworkManager-ssh (which I maintain) does not
> allow traffic through interfaces (tun interfaces usually) and went
> down a deep rabbit hole, which I'm not entirely sure has got to do
> much with NetworkManager-ssh at the moment.
> 
> What I'm trying to do:
>  * Setup a "poor man's VPN" aka SSH VPN to a remote host (on AWS)
>  * On my machine I should eventually have a tun device with
> 172.16.40.2
>  * On the server machine a tun device with 172.16.40.1
>  * Those two internal addresses should be reachable from one another
> 
> The steps that are usually necessary are:
>  1. SSH to remote machine (with tunnel creation parameters) + run a
> ifconfig command to configure the tun device
>  2. Configure the tun device on the client host with ifconfig
> (ifconfig tun0 ...)
>  3. Replacing default routes etc
> 
> So when NetworkManager-ssh does what it does, the end result is what
> I expect, except that things don't work. Traffic can reach
> 172.16.40.1, but nothing can reach 172.16.40.2. Before you point a
> problem with the server routing tables, please read along.
> 
> I decided to just run the SSH command from the command line,
> eliminating everything that NetworkManager does to the VPN
> connection. What happens here is very unclear to me, but someone
> might be able to explain it quickly. When running the steps 1 & 2
> quickly one after the other - the VPN is setup properly and
> 172.16.40.2 is reachable from the server side. When I see quickly, I
> mean no delay in between, see log for that here (https://paste.fedora
> project.org/paste/QgnyCz7hEuvuLiAiOhtTfl5M1UNdIGYhyRLivL9gydE=). Then
> I can obviously proceed to replacing the default route and so on and
> so forth. VPN works.
> 
> On the other hand, if i introduce a delay of say 5 seconds, it allows
> NetworkManager to have enough time to do something I don't understand
> to the tun0 device which then renders it as unreachable, see log for
> that here (https://paste.fedoraproject.org/paste/0~lxbpwNuIxGUvDwjokW
> 6F5M1UNdIGYhyRLivL9gydE=). I spaced it out a bit where the 5 seconds
> gap appears.
> 
> A few other things to note:
>  * I'm running fedora 24 (with kernel 4.9.9-100.fc24.x86_64 and
> NetworkManager 1.2.6-1)
>  * Selinux is disabled (both on server and client)
>  * firewalld is disabled
>  * When sniffing traffic, all traffic reaches the server
> (172.16.40.1)
>  * Traffic comes back on on the SSH tunnel, but never reaches
> 172.16.40.2 (verified it both with strace and by sniffing)
>  * Routing tables after the VPN is up are identical in both cases (ip
> route show table main), except for metric, but I also tried to modify
> it to be the same and it didn't help either
> 
> So what I'm looking for here is to understand *what* NetworkManager
> does to the tun0 interface that renders it unreachable? And why if I
> don't allow NetworkManager do its thing and configure the interface
> quickly - things actually work?
> 
> My end result is to fix NetworkManager-ssh to do what it should do,
> however at the moment I'm puzzled as to why this simple scenario
> doesn't even work out of NetworkManager-ssh.Any help more than
> appreciated.


Hi Dan,


NM notices that a device tun0 appears and "assumes" the connection.
That process should not modify the interface, in order not to interfere
with whoever created and manages the device. It seems that doesn't work
well here.


It's not clear to me what NM does to interfere with the tun device. But
it would be interesting to see that setting tun0 as unmanaged
avoids the problem.
like:
  [keyfile]
  unmanaged-device=interface-name:tun0
and `killall -SIGHUP NetworkManager`, and reactivate the SSH VPN, and
notice tun0 as unmanaged in `nmcli device`.


With upcoming 1.8, NM was changed to improve the situation here
(https://bugzilla.gnome.org/show_bug.cgi?id=746440).
It would also be interesting to see how 1.8 works there.
It's actually very simple to build a RPM for Fedora of upstream NM, see
  https://wiki.gnome.org/Projects/NetworkManager/Hacking


best,
Thomas

signature.asc
Description: This is a digitally signed message part
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list

Re: Beyond MAC randomization (prevent tracking)

[Thomas Haller]

On Tue, 2017-04-11 at 11:30 -0400, Chris Laprise wrote:
> On 04/10/2017 01:35 PM, Chris Laprise wrote:


Hi Chris,


> > 1. A Study of MAC Address Randomization in Mobile Devices and
> > When it Fails
> > https://arxiv.org/pdf/1703.02874v1.pdf
> 
> 
> 
> A listing of best practices from the paper:
> 
> > Randomize across the entire address, providing
> > 2^46 bits of randomization.

This can be configured via the wifi.scan-generate-mac-address-mask
setting (man NetworkManager.conf). Likewise, there are the per-
connection settings wifi.generate-mac-address-mask and
ethernet.generate-mac-address-mask.
Note, that you can at most randomize 47 bits (to create a unicast MAC
address, see man nm-settings).
By default the local-address bit is set too, leaving you with mentioned
46 bits. The generate-mac-address-mask setting allows you to explicitly
configure which bits are set and/or randomized.



> > Use a random address for every probe request
> > frame.

> > 
> > Remove sequence numbers from probe requests.
> > 
> > If sequence numbers are used, reset sequence
> > number when transmitting authentication and
> > association frames.

All that NM's randomization does, is to configure a MAC address before
issuing the scanning (or before associating). In the logfile you can
grep for "set-hw-addr:".

It does not sync with supplicant beyond that. This needs investigation
what is needed there.


> > Never send probe requests using a global MAC
> > address.

NM should set a random MAC address before requesting the first scan.
So, the permanet MAC address shouldn't leave the device.
(would need testing + verification).


> > Enforce a policy requiring a minimal and stan-
> > dard set of vendor IEs. Move any lost function-
> > ality to the authentication/association process,
> > or upon network establishment utilize discovery
> > protocols.
> > 
> > Specifically, the use of WPS attributes should
> > be removed except when performing P2P opera-
> > tions. Prohibit unique vendor tags such as those
> > introduced by Apple iOS 10.
> > 
> > Eliminate the use of directed probe requests for
> > cellular offloading.
> > 
> > Mandate that chipset firmware remove behavior
> > where RTS frames received while in State 1 elicit
> > a CTS response.

this also seems to affect more the lower layers + supplicant.
Needs investigation.


> Seems like NM and careful configuration might address some of these 
> points...
> 
> 
> (BTW, the usna.edu address appears to be disabled.)


I agree, it would be a worthy task to investigate and fix issues.
Thanks for bringing up this topic.


Thomas

signature.asc
Description: This is a digitally signed message part
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list